exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
5 ]6 q9 C+ w( p b) T4 G- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In “config.asp”, wherever you have:
ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:6 i: l$ F, d" r$ i0 A" d
ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
Tested against the PHP version: does not work.
Tested against ASP/ASPX: works.
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite and modify it in Repeater:
rename the file to asd.asp%00txt, then convert the %00 via URL encoding; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
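As an added illustration (not code from the advisory, the forum post or the FCKEditor project), the Python below models the two checks the quick patch contrasts: an unanchored allow-list match of the kind `^(...)$` replaces, and the anchored form, applied to the name that will actually be written after the connector's duplicate rename to name(1).ext. The allow-list, the on-disk state and the NUL-truncation model are constructed assumptions.

```python
import re
from typing import Optional

# Allow-list in the shape config.asp uses: a '|'-separated extension list.
# Constructed sample, not the project's real list.
ALLOWED = "7z|gif|jpg|pdf|png|txt|zip"


def extension_of(filename: str) -> str:
    """Everything after the last dot, lower-cased ('' if there is no dot)."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def weak_is_allowed(filename: str) -> bool:
    """Unanchored pattern, the form the quick patch replaces: an allowed entry
    occurring anywhere inside the extension is enough to pass."""
    return re.search(ALLOWED, extension_of(filename)) is not None


def strong_is_allowed(filename: str) -> bool:
    """Anchored ^(...)$ pattern from the quick patch, plus a guard against
    control characters such as NUL, so the whole extension must match exactly."""
    if any(ord(c) < 0x20 for c in filename):
        return False
    return re.fullmatch(f"^({ALLOWED})$", extension_of(filename)) is not None


def filesystem_name(filename: str) -> str:
    """Assumed model of C-string truncation in a native file API: the name stops
    at the first NUL, so validator and disk can disagree about the extension."""
    return filename.split("\x00", 1)[0]


def upload(filename: str, existing: set, validate) -> Optional[str]:
    """Simulated upload path: duplicates become name(1).ext, name(2).ext, ...
    and the name finally written is validated, not only the name received.
    Returns the on-disk name, or None when the upload is rejected."""
    stem, dot, ext = filename.rpartition(".")
    final, n = filename, 0
    while filesystem_name(final) in existing:
        n += 1
        final = f"{stem}({n}){dot}{ext}"
    if not validate(final):
        return None
    existing.add(filesystem_name(final))
    return filesystem_name(final)


if __name__ == "__main__":
    on_disk = {"asd.asp"}  # constructed: a file of that name already exists
    print(upload("asd.asp\x00txt", set(on_disk), weak_is_allowed))    # asd(1).asp
    print(upload("asd.asp\x00txt", set(on_disk), strong_is_allowed))  # None
```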